[c-nsp] Switch ingress policy drops on Cisco ASA 5505

Daniel Dib daniel.dib at reaper.nu
Sun May 1 01:25:02 EDT 2011


Hi,

I'm having some trouble with a Cisco ASA 5505. It is performing very badly
and I'm wondering if switch ingress policy drops can have this impact on
performance? The topology is quite simple.

Cisco ASA 5505 - RAD tiny bridge - SDH network - RAD tiny bridge - Cisco
Catalyst 3560-X - Cisco ASA 5510

So basically it's a leased line kind of setup, the tiny bridges convert the
signal to Ethernet. I had to hardcode these to 10 Mbit full duplex since
they don't handle auto negotiation very well. This is the configuration from
the Catalyst switch and packet counters.

sh run int gi0/18
Building configuration...

Current configuration : 335 bytes
!
interface GigabitEthernet0/18
 description removed
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full
 no cdp enable
 spanning-tree portfast trunk
 spanning-tree bpdufilter enable
 spanning-tree bpduguard enable
end

sh int gi0/18
GigabitEthernet0/18 is up, line protocol is up (connected) 
  Hardware is Gigabit Ethernet, address is d0d0.fd24.bd12 (bia d0d0.fd24.bd12)
  Description: removed
  MTU 1500 bytes, BW 10000 Kbit, DLY 1000 usec, 
     reliability 255/255, txload 1/255, rxload 4/255
  Encapsulation ARPA, loopback not set
  Keepalive set (10 sec)
  Full-duplex, 10Mb/s, media type is 10/100/1000BaseTX
  input flow-control is off, output flow-control is unsupported 
  ARP type: ARPA, ARP Timeout 04:00:00
  Last input 20:34:32, output 00:00:02, output hang never
  Last clearing of "show interface" counters 19:08:04
  Input queue: 0/75/0/0 (size/max/drops/flushes); Total output drops: 0
  Queueing strategy: fifo
  Output queue: 0/40 (size/max)
  5 minute input rate 185000 bits/sec, 21 packets/sec
  5 minute output rate 11000 bits/sec, 16 packets/sec
     1580989 packets input, 1543636799 bytes, 0 no buffer
     Received 3 broadcasts (0 multicasts)
     0 runts, 0 giants, 0 throttles
     0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored
     0 watchdog, 0 multicast, 0 pause input
     0 input packets with dribble condition detected
     1078549 packets output, 101138920 bytes, 0 underruns
     0 output errors, 0 collisions, 0 interface resets
     0 babbles, 0 late collision, 0 deferred
     0 lost carrier, 0 no carrier, 0 PAUSE output
     0 output buffer failures, 0 output buffers swapped out

The leased line is at 512 kbit/s and you can see that we almost never use
more than half of that. The port on the Catalyst looks clean. Then we have
the other end, which is a Cisco ASA 5505; this is the configuration and port
stats from there:

sh run int e0/0
!
interface Ethernet0/0
 description removed
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full

sh int e0/0
Interface Ethernet0/0 "", is up, line protocol is up
  Hardware is 88E6095, BW 100 Mbps, DLY 100 usec
        Full-Duplex(Full-duplex), 10 Mbps(10 Mbps)
        Input flow control is unsupported, output flow control is unsupported
        Description: removed
        Available but not configured via nameif
        MAC address c84c.7541.33b2, MTU not set
        IP address unassigned
        906935 packets input, 85622211 bytes, 0 no buffer
        Received 2 broadcasts, 0 runts, 0 giants
        0 input errors, 0 CRC, 0 frame, 0 overrun, 0 ignored, 0 abort
        0 L2 decode drops
        7705 switch ingress policy drops
        1333081 packets output, 1313122660 bytes, 0 underruns
        0 pause output, 0 resume output
        0 output errors, 0 collisions, 0 interface resets
        0 late collisions, 0 deferred
        0 input reset drops, 0 output reset drops
        0 rate limit drops
        0 switch egress policy drops

sh run int vlan 172
!
interface Vlan172
 nameif removed
 security-level 50
 ip address 172.16.1.4 255.255.255.248

You can see that there are 7705 switch ingress policy drops out of 906935
packets in total, so roughly 0.85% of packets are being dropped. My first
question is if you think this can affect performance? We have issues with
high latency and some packet loss. The other question is, how do I debug
this? Cisco describes switch ingress policy drops like this:

This drop is usually seen when a port is not configured correctly. This drop
is incremented when a packet cannot be successfully forwarded within switch
ports as a result of the default or user configured switch port settings.
The following configurations are the likely reasons for this drop:

- The nameif command was not configured on the VLAN interface.

  Note: For interfaces in the same VLAN, even if the nameif command was not
  configured, switching within the VLAN is successful, and this counter does
  not increment.

- The VLAN is shut down.

- An access port received an 802.1Q-tagged packet.

- A trunk port received a tag that is not allowed or an untagged packet.

- The security appliance is connected to another Cisco device that has
  Ethernet keepalives. For example, Cisco IOS software uses Ethernet loopback
  packets to ensure interface health. This packet is not intended to be
  received by any other device; the health is ensured just by being able to
  send the packet. These types of packets are dropped at the switch port, and
  the counter increments.

- The VLAN only has one physical interface, but the DEST of the packet does
  not match the MAC address of the VLAN, and it is not the broadcast address.

Nameif is set so it can't be that, and the VLAN is not shut down. It is not an
access port. A trunk receiving a tag that is not allowed is not impossible, but
not likely. Could it be the Catalyst sending keepalives? The final reason I
don't think applies here. So either something funky is going on with the
tagging or it's keepalives that are being sent; could this affect performance?

Thanks for your time.

/Daniel
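Added example (not part of Daniel's post or of Cisco's documentation): a small
Python script that turns the Cisco list of causes above into checks a
practitioner can run on both sides of the trunk. It parses the "show run
interface" and "show interface" snippets from the post (embedded below, trimmed
to the lines the checks need), compares trunk mode, allowed VLAN list, native
VLAN, speed and duplex between the Catalyst and the ASA, computes the ingress
policy drop ratio, and, because Cisco names IOS Ethernet keepalives as a cause,
estimates how many keepalives the Catalyst would have sent since its counters
were cleared. The regexes only cover the fields used here; the "add"/"remove"
forms of "switchport trunk allowed vlan" and IOS durations other than hh:mm:ss
are assumptions left unhandled.

```python
"""Check a Catalyst <-> ASA 5505 trunk pair for the misconfigurations Cisco
lists as causes of 'switch ingress policy drops'.  Added example, not Cisco's
tooling; parsing is regex-based and covers only the fields used here."""
import re

# Snippets copied from the post, trimmed to the lines the checks need.
CATALYST_CONFIG = """\
interface GigabitEthernet0/18
 switchport trunk encapsulation dot1q
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full
"""
CATALYST_SHOW = """\
  Keepalive set (10 sec)
  Last clearing of "show interface" counters 19:08:04
     1580989 packets input, 1543636799 bytes, 0 no buffer
"""
ASA_CONFIG = """\
interface Ethernet0/0
 switchport trunk allowed vlan 172
 switchport mode trunk
 speed 10
 duplex full
"""
ASA_SHOW = """\
        906935 packets input, 85622211 bytes, 0 no buffer
        0 L2 decode drops
        7705 switch ingress policy drops
"""


def expand_vlans(spec):
    """'1,10-12,172' -> {1, 10, 11, 12, 172}."""
    vlans = set()
    for part in spec.split(","):
        lo, _, hi = part.strip().partition("-")
        vlans.update(range(int(lo), int(hi or lo) + 1))
    return vlans


def parse_port_config(text):
    """Extract the switchport settings that matter for a trunk pair.
    Defaults mirror IOS/ASA defaults: access mode, all VLANs allowed, native 1."""
    cfg = {"mode": "access", "allowed": expand_vlans("1-4094"),
           "native": 1, "speed": "auto", "duplex": "auto"}
    for line in text.splitlines():
        line = line.strip()
        if m := re.fullmatch(r"switchport mode (trunk|access)", line):
            cfg["mode"] = m.group(1)
        elif m := re.fullmatch(r"switchport trunk allowed vlan ([\d,\-]+)", line):
            cfg["allowed"] = expand_vlans(m.group(1))  # 'add'/'remove' forms not handled (assumption)
        elif m := re.fullmatch(r"switchport trunk native vlan (\d+)", line):
            cfg["native"] = int(m.group(1))
        elif m := re.fullmatch(r"(speed|duplex) (\S+)", line):
            cfg[m.group(1)] = m.group(2)
    return cfg


def parse_counters(text):
    """Map '<count> <counter name>' pairs from 'show interface' output."""
    counters = {}
    for m in re.finditer(r"(\d+) ([A-Za-z][A-Za-z0-9 ]*?)(?=,|$)", text, re.M):
        counters[m.group(2).strip()] = int(m.group(1))
    return counters


def parse_keepalive(show_text):
    """(keepalive interval in s, seconds since counters cleared); None if absent.
    Only the hh:mm:ss duration form is parsed (IOS also prints e.g. '1d02h')."""
    interval = since = None
    if m := re.search(r"Keepalive set \((\d+) sec\)", show_text):
        interval = int(m.group(1))
    if m := re.search(r'Last clearing of "show interface" counters (\d+):(\d+):(\d+)', show_text):
        h, mi, s = map(int, m.groups())
        since = h * 3600 + mi * 60 + s
    return interval, since


def check_trunk_pair(a, b, a_name="catalyst", b_name="asa"):
    """Return human-readable findings for the two ends of one link."""
    findings = []
    if a["mode"] != b["mode"]:
        findings.append(f"mode mismatch: {a_name}={a['mode']} {b_name}={b['mode']}")
    elif a["mode"] == "trunk":
        only_a, only_b = a["allowed"] - b["allowed"], b["allowed"] - a["allowed"]
        if only_a or only_b:  # tagged frames the far end will drop as 'tag not allowed'
            findings.append(f"allowed VLANs differ: only on {a_name}={sorted(only_a)[:10]}, "
                            f"only on {b_name}={sorted(only_b)[:10]}")
        if a["native"] != b["native"]:  # untagged frames land in the wrong VLAN
            findings.append(f"native VLAN mismatch: {a_name}={a['native']} {b_name}={b['native']}")
    for k in ("speed", "duplex"):
        if a[k] != b[k]:
            findings.append(f"{k} mismatch: {a_name}={a[k]} {b_name}={b[k]}")
    return findings


def ingress_drop_percent(counters):
    """Percentage of input packets the ASA switch port dropped on ingress policy."""
    total = counters.get("packets input", 0)
    return 100.0 * counters.get("switch ingress policy drops", 0) / total if total else 0.0


def report():
    """Run all checks on the embedded snippets: (findings, drop %, expected keepalives)."""
    findings = check_trunk_pair(parse_port_config(CATALYST_CONFIG), parse_port_config(ASA_CONFIG))
    pct = ingress_drop_percent(parse_counters(ASA_SHOW))
    interval, since = parse_keepalive(CATALYST_SHOW)
    # Keepalives sent since the Catalyst counters were cleared; the ASA counters
    # may have been cleared at a different time, so compare only roughly.
    expected = since // interval if interval and since else None
    return findings, pct, expected


if __name__ == "__main__":
    findings, pct, expected = report()
    print("config findings:", findings or "none")
    print(f"ingress policy drops: {pct:.2f}% of input packets")
    print("IOS keepalives sent since counter clear (approx):", expected)
```

With the post's own snippets the config comparison comes back clean (both ends
trunk, VLAN 172 only, native VLAN 1, 10/full), the drop ratio is 0.85%, and the
Catalyst would have sent roughly 6888 keepalives in the 19h08m since its counters
were cleared, which is the same order of magnitude as the 7705 drops. That makes
the keepalive cause the one worth testing first, e.g. by disabling keepalives on
the Catalyst port and watching whether the ASA counter stops incrementing.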


